K8TRE - base infrastructure options: DNS

[manics]

There are two DNS providers to potentially discuss, in-cluster, and external to the cluster. Can we limit the discussion to just in-cluster DNS, or do we need to consider external DNS too?

[manics]

AWS:

• EKS defaults to CoreDNS for in-cluster DNS. This is pretty standard, e.g. it provides DNS for K8S services.
• If we want external DNS that's done with Route 53 which is a full DNS service including public/private zones, all types of DNS records, etc. I don't think this is needed though for K8TRE- external DNS can probably be delegated to an organisations existing DNS server?

[vvcb]

We will need DNS outside of K8S to route to applications running on k8s.

For instance, a user accessing jupyter.k8tre.org should be routed to the correct loadbalancer IP address from where the on-cluster nginx ingress controller will direct them to the correct service. If we are setting the host option on ingress for any application, then we will need something outside the cluster that resolves this. We use Azure private DNS zones to do this now and in our new environment will be using Application gateway.

I agree that this will need to be delegated to the organisations. But, if we can all use the same internal domain private DNS zone names and entries for k8tre, we can have have different public FQDNs pointing to our individual organisation's IP address(es), resolving to the same private DNS entries and ingress should still work.

I am not sure about on-prem yet. I have previously setup DataSHIELD on microk8s behind nginx with a custom host name that was set by modifying the /etc/hosts file. Hacky as hell.

TL;DR: K8TRE should recommend options but agree that this shouldn't be part of the core implementation.

[manics]

A diagram of internal and external network connections would be useful. For example, if we have a single web ingress for the TRE to provide external access then internally all services can use the internal K8s service name, so there shouldn't be a need for internal ingress.

[vvcb]

I am not sure we will be able to do this without an ingress-controller on k8s. But, let's discuss. User journey diagrams below - thanks to Gemma on Ollama 😄

[gsvarovsky]

On the naming point, in principle, all services/apps that rely on another service/app should be configured with that app's address. So the actual addressing convention can vary (we could make a recommendation though).

https://12factor.net/backing-services

[manics]

Oops, I meant to say here shouldn't be a need for an internal load-balancer!

[vvcb]

graph TD
  subgraph Public Internet
    A[Public Internet] --> B(Public DNS Resolver);
  end

  subgraph Azure VNet Private
    subgraph DNS Zone
      D(Private DNS Zone)
    end

    subgraph Ingress & Load Balancing
      E(Application Gateway) --> F{Azure Firewall}
      F --> G(Load Balancer)
      G --> H(Nginx Ingress Controller)
      H --> I(Kubernetes Service)
      I --> J(Kubernetes Pods)
      J --> K[Microservice]
    end

    subgraph Kubernetes Cluster
      I -- "Kubernetes Service" --> J
    end

    B --> D{Private DNS}
    D --> E
  end

Loading

Explanation and Key Components:

• Public Internet (A): The starting point for external requests.
• Public DNS Resolver (B): Resolves the public domain name to the IP address of the Application Gateway. This is crucial for external users to find the service.
• Private DNS Zone (D): This Azure DNS Zone holds private records, mapping the service's public domain name to the private IP address of the Application Gateway. This mapping is only visible within the Azure VNet.
• Application Gateway (E): This acts as the entry point from the public internet. It provides features like SSL termination, routing, and potentially web application firewal (WAF) capabilities. This is the public facing component.
• Azure Firewall (F): A critical security component. It inspects traffic before it reaches the load balancer and Kubernetes cluster, preventing unauthorized access and malicious requests. This helps maintain the security of the private network.
• Load Balancer (G): Distributes traffic across multiple nodes in the Kubernetes cluster. This enhances availability and scalability. Could be an Azure Load Balancer or a similar service.
• Nginx Ingress Controller (H): Manages external access to services within the Kubernetes cluster. It acts as a reverse proxy and load balancer within Kubernetes, routing traffic to the appropriate services.
• Kubernetes Service (I): An abstraction layer that exposes applications running in the Kubernetes cluster. It provides a stable endpoint for accessing the microservice, even if the underlying pods change.
• Kubernetes Pods (J): The smallest deployable units in Kubernetes, containing one or more containers. This is where the actual microservice code is running (K).
• Microservice (K): The application being exposed.

Traffic Flow:

1. User Request: A user initiates a request to the service's public domain name (e.g., myservice.example.com).
2. DNS Resolution: The Public DNS Resolver finds the corresponding IP address through Public DNS.
3. Private DNS Mapping: The Application Gateway (E) utilizes the Private DNS Zone (D) to resolve the public domain name to its private IP address. This ensures that the traffic is directed to the private network.
4. Application Gateway Inspection: The Application Gateway handles SSL termination, performs routing, and can apply WAF rules.
5. Firewall Inspection: Azure Firewall inspects the traffic to prevent unauthorized access.
6. Load Balancing: The Load Balancer distributes traffic among the Nginx Ingress Controller.
7. Ingress Routing: The Nginx Ingress Controller routes traffic to the appropriate Kubernetes Service.
8. Service Routing: The Kubernetes Service forwards the request to the correct Pod(s) running the microservice.

Key Considerations and Potential Enhancements:

• Private DNS Configuration: Proper configuration of the Private DNS Zone is essential for this setup to work correctly. The zone needs to be linked to the Virtual Network and the Application Gateway must be configured to use it.
• Security: The Azure Firewall is a crucial element for security. Configure appropriate rules to restrict access and protect the cluster.
• SSL Certificates: Ensure that the Application Gateway has a valid SSL certificate for the public domain name.
• Monitoring: Implement monitoring and logging to track traffic flow and identify potential issues.
• Service Mesh (Optional): Consider using a service mesh (e.g., Istio) for more advanced traffic management, security, and observability within the Kubernetes cluster.
• Autoscaling: Configure autoscaling for the Application Gateway, Load Balancer, and Kubernetes cluster to handle varying traffic loads.

An equivalent cloud-agnostic version would something like below:

graph TD
    %% External Components
    Client[External User] -->|Internet| PublicDNS[Public DNS]
    PublicDNS -->|DNS Resolution| PublicIP[Public IP Address]
    PublicIP -->|HTTPS| AppGW[API Gateway/Reverse Proxy]
    
    %% Network Security
    AppGW -->|Traffic Filtering| Firewall[Network Firewall]
    
    subgraph "Private Virtual Network"
        %% Private DNS
        subgraph "Private DNS Zone"
            PrivDNS[Private DNS Records]
        end
        
        %% Access & Security Layer
        Firewall -->|Allowed Traffic| LB[Load Balancer]
        
        %% Kubernetes Cluster
        subgraph "Kubernetes Cluster"
            %% Ingress Layer
            LB -->|Traffic Routing| Ingress[Ingress Controller]
            
            %% Kubernetes Services
            Ingress -->|Service Discovery| K8sService[Kubernetes Service]
            
            %% Microservice Pods
            K8sService -->|Load Balancing| Pod1[Microservice Pod 1]
            K8sService -->|Load Balancing| Pod2[Microservice Pod 2]
            K8sService -->|Load Balancing| Pod3[Microservice Pod 3]
        end
        
        %% Internal Service Discovery
        PrivDNS -.->|Service Resolution| K8sService
    end
   

Loading

[manics]

What records does the Private DNS Zone contain- is it for services external to the K8S cluster, but internal to the organisation's network? For in-cluster services the default CoreDNS should be fine, so you can access services by servicename.namespace without a separate DNS server.

[m1p1h]

@manics @vvcb

Building on this earlier discussion, below I've outlined the current implementation we've taken for public HTTP/s ingress into a K8TRE cluster env (where where we have clusters for prod, stg and dev). This includes the prereqs on the cluster configuration, ingress route from an external/shared public gateway (defined in the underlying infrastructure) to an internal cluster gateway (managed by Cilium Gateway operator) plus the public/private DNS resolution at each step.

Cluster/Argo Prerequisties

Cilium CNI Plugin

The k8s cluster whether AKS, EKS or K3s etc must utilise cilium as the primary CNI for L4/7 routing and in future for managing routes with cilium network policies. In particular, the Gateway API must be enabled in cilium with cilium set to replace kube-proxy e.g. If K8TRE argocd label skip-cilium is false the argo helm release should ensure:

kubeProxyReplacement=true
gatewayAPI.enabled=true

In addition if skip-cilium is false, argocd must install core Gateway API CRDs before installing Cilium outlined here e.g. YAML:

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_gateways.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_httproutes.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/gateway-api/v1.2.0/config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml

ExternalDNS

ExternalDNS should also be installed via K8TRE argoCD. In the case of K8TRE on Azure, ExternalDNS is configured with federated identity management with the underlying infrastructure providing a private DNS zone per cluster that the ExternalDNS service can talk to to manage DNS dynamically.

Internal K8TRE Gateway

The K8TRE ArgoCD must initialise a 'Gateway' instance of the cilium GatewayClass e.g.:

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: internal-gateway
  namespace: gateway-system
  labels:
    app.kubernetes.io/name: cluster-ingress
    app.kubernetes.io/component: gateway
spec:
  gatewayClassName: cilium
  listeners:
  - name: http
    port: 80
    protocol: HTTP
  - name: https
    port: 443
    protocol: HTTPS

This will create the internal Gateway along with a service object. The service creation is automated and will be named cilium-gateway-<name_of_gateway>. The service must be patched to include annotations dependent on the underlying infrastructure providing the service load balancer e.g. for running on Azure this looks like:

annotations:
   service.beta.kubernetes.io/azure-load-balancer-internal: "true",
   service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "snet-clusteringressservices",
   service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: "/healthz",
   external-dns.alpha.kubernetes.io/hostname: "gw.k8tre.internal"

For AWS:

  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-0123456789abcdef0"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/healthz"
    external-dns.alpha.kubernetes.io/hostname: "gw.k8tre.internal"

HTTP Routes

Routing to internal services that require public access can be defined with HTTPRoute definitions that associate the route to a defined Gateway (internal-gateway) and service (jupyterhub) e.g:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: jupyter-route
  namespace: gateway-system
spec:
  parentRefs:
  - name: internal-gateway
    namespace: gateway-system
  hostnames:
    - "jupyter.k8tre.internal"
  rules:
    - backendRefs:
        - name: jupyterhub
          port: 80

For K8TRE this means we use Cilium Gateway API as a cloud agnostic implementation of a cluster Gateway with the constraint that the service attached to the gateway defined must have a ingress/egress route out to the internet using a internal/private load balancer provided by the underlying infrastructure. From there, it is upto the operator of K8TRE to decide how they plugin in a external gateway to route traffic to the internal gateway (internal/private load balancer).

Certain external cloud gateways (Azure App Gateway) that will likely integrate with K8TRE's internal gateway will require a path-orietnated route that provides health probes a means to ping the health of the gateway as a backend target. Therefore, a route definition similar to the following will be required.

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: gw-health-probe-route
  namespace: gateway-system
spec:
  parentRefs:
    - name: internal-gateway
      namespace: gateway-system
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: gw-echo
          port: 80

Gateway Ingress on Azure-Provisioned K8TRE

For a Azure deployment of K8TRE we use Azure Application Gateway v2 (AppGW) as the external gateway to route HTTP/S traffic into a hub and spoke based infrastructure where the AppGW sits on the hub as a shared resource and routes traffic to each internal/private K8TRE cluster (prod,stg,dev) deployed to its own spoke. Our approach to AppGW firewall integration follows the architecture outlined here.

Through the use of public and private DNS zones (managed by ExternalDNS running in the clusters) traffic is routed to the Gateway service (with hostname gw.k8tre.internal for prod, gw.dev.k8tre.internal for dev etc) using a series of AppGW listeners, host rewrite rules and backend pool targets. The following flow diagram highlights the key components involved:

Note, LTH brands K8TRE as KARECTL. Operators will need to establish their own public facing domain and map hostnames for K8TRE defined services (i.e. gw.k8tre.internal for Internal Gateway).